diff --git a/README.md b/README.md index 7608202..c102b84 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,4 @@ May also include some dummy nodes, for example for deploying websites onto shared webhosting. `bw test` runs according to Jenkinsfile after every commit. -[![Build Status](https://jenkins.kunsmann.eu/buildStatus/icon?job=bundlewrap%2Fmain)](https://jenkins.kunsmann.eu/job/bundlewrap/job/main/) +[![Build Status](https://jenkins.franzi.business/buildStatus/icon?job=kunsi%2Fbundlewrap%2Fmain)](https://jenkins.franzi.business/job/kunsi/job/bundlewrap/job/main/) diff --git a/bundles/check-mail-received/files/check_imap_for_mail_from b/bundles/check-mail-received/files/check_imap_for_mail_from new file mode 100644 index 0000000..f8db136 --- /dev/null +++ b/bundles/check-mail-received/files/check_imap_for_mail_from 
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 + +from imaplib import IMAP4_SSL +from subprocess import check_output +from sys import argv, exit +from time import time + +if len(argv) < 5: + print('Usage: {} '.format(argv[0])) + exit(3) + +NOW = time() + +try: + imap = IMAP4_SSL(argv[1]) + imap.login(argv[2], argv[3]) + + imap.select('Inbox') + + _, data = imap.search(None, 'ALL') + + something_found = False + + for item in data: + for index in item.split(): + received_in_this_mail = None + from_in_this_mail = False + + try: + message = imap.fetch(index, '(RFC822)') + + message_text = bytearray() + for part in message[1][0]: + message_text.extend(part) + message_text = message_text.decode().splitlines() + + for line in message_text: + lline = line.strip().lower() + + if lline.startswith('from:') and argv[4].lower() in line: + from_in_this_mail = True + + if lline.startswith('date:'): + date = line.strip()[5:].strip() + unixtime = int(check_output([ + 'date', + '--date={}'.format(date), + '+%s', + ]).decode().strip()) + + if unixtime > (NOW-(60*60*25)): + received_in_this_mail = date + + if received_in_this_mail and from_in_this_mail: + print('Found message from "{}" sent at "{}"'.format(argv[4], received_in_this_mail)) + received_in_this_mail = None + from_in_this_mail = False + something_found = True + except: + pass + + if something_found: + # there should be output above + exit(0) + + print('No Mails found') + exit(2) +except Exception as e: + print(repr(e)) + exit(3) diff --git a/bundles/check-mail-received/items.py b/bundles/check-mail-received/items.py new file mode 100644 index 0000000..ed76f80 --- /dev/null +++ b/bundles/check-mail-received/items.py @@ -0,0 +1,5 @@ +files = { + '/usr/local/share/icinga/plugins/check_imap_for_mail_from': { + 'mode': '0755', + }, +} diff --git a/bundles/check-mail-received/metadata.py b/bundles/check-mail-received/metadata.py new file mode 100644 index 0000000..0eb666d --- /dev/null +++ b/bundles/check-mail-received/metadata.py 
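Review bot: The bare `except: pass` around the per-message work hides every failure: a non-UTF-8 message makes `message_text.decode()` raise `UnicodeDecodeError` and an unparseable `Date:` header makes `check_output(['date', ...])` raise `CalledProcessError`, so such messages are silently skipped and the check ends in `No Mails found` (exit 2) rather than reporting what went wrong. The stdlib `email` package already parses this: `email.message_from_bytes` on the fetched body and `email.utils.parsedate_to_datetime` on the header (add `from email import message_from_bytes` and `from email.utils import parsedate_to_datetime` next to the existing imports) replace the per-message `date` subprocess and the manual line scan, let the handler name the errors it expects, and fix the sender test, which currently compares `argv[4].lower()` against the un-lowercased `line`. The IMAP password is taken from `argv[3]`, where it is visible to every local user in the process table while the plugin runs; the caller in `bundles/check-mail-received/metadata.py` is what puts it there, so reading it from an environment variable or a root-owned 0600 file would keep it out of `ps`. `imap.logout()` is also never called; a `finally:` on the session would close it cleanly.
```python
    # … unchanged: argument check, NOW, IMAP login, select and search …
    for item in data:
        for index in item.split():
            try:
                message = imap.fetch(index, '(RFC822)')
                # imaplib returns [(b'<seq> (RFC822 {<size>}', b'<raw message>'), b')']
                msg = message_from_bytes(message[1][0][1])
            except (IMAP4_SSL.error, IndexError, TypeError) as e:
                print('Could not fetch message {}: {!r}'.format(index, e))
                continue

            sender = (msg.get('From') or '').lower()
            date = msg.get('Date')
            if not date or argv[4].lower() not in sender:
                continue

            try:
                unixtime = parsedate_to_datetime(date).timestamp()
            except (TypeError, ValueError):
                print('Unparseable Date header {!r} in message {}'.format(date, index))
                continue

            # same 25 hour window as before
            if unixtime > (NOW-(60*60*25)):
                print('Found message from "{}" sent at "{}"'.format(argv[4], date))
                something_found = True
    # … unchanged: exit codes …
```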
@@ -0,0 +1,41 @@ +@metadata_reactor.provides( + 'cron/check-mail-received', + 'icinga2_api/check-mail-received/services', +) +def process_metadata(metadata): + cron = set() + services = {} + + my_mail_address = 'root@{}'.format(metadata.get('hostname')) + + for name, config in metadata.get('check-mail-received', {}).items(): + cron.add('{minute} {hour} * * * root date | mail -s "daily test mail from {node}" -r {source} {target}'.format( + minute=node.magic_number%60, + hour=node.magic_number%24, + node=node.name, + source=my_mail_address, + target=config['email'], + )) + + services[f'MAIL RECEIVED ON {name}'] = { + 'command_on_monitored_host': repo.libs.faults.join_faults([ + '/usr/local/share/icinga/plugins/check_imap_for_mail_from', + config['imap_host'], + config.get('imap_user', config['email']), + config['imap_pass'], + my_mail_address, + ]), + 'check_interval': '15m', + 'retry_interval': '5m', + } + + return { + 'cron': { + 'check-mail-received': '\n'.join(sorted(cron)), + }, + 'icinga2_api': { + 'check-mail-received': { + 'services': services, + }, + }, + } diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py index f24768f..faf3578 100644 --- a/bundles/gitea/items.py +++ b/bundles/gitea/items.py @@ -21,6 +21,11 @@ directories = { 'owner': 'git', 'group': 'git', }, + '/home/git/.ssh': { + 'mode': '0755', + 'owner': 'git', + 'group': 'git', + }, '/var/lib/gitea': { 'owner': 'git', 'mode': '0700', diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index e18b9fd..26eebac 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -2,6 +2,7 @@ defaults = { 'backups': { 'paths': { '/home/git', + '/var/lib/gitea', }, }, 'gitea': { 
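Review bot: `/home/git/.ssh` is created with `'mode': '0755'`; the directory only needs to be reachable by the git user (sshd's StrictModes rejects group/world-writable parents, not unreadable ones), so the conventional `'mode': '0700',` would do and keeps the account's authorized_keys layout private to it. This is a hardening nit rather than a functional problem with the new entry in `bundles/gitea/items.py`.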
@@ -44,6 +45,23 @@ defaults = { }, }, }, + 'zfs': { + 'datasets': { + 'tank/gitea': {}, + 'tank/gitea/home': { + 'mountpoint': '/home/git', + 'needed_by': { + 'directory:/home/git', + }, + }, + 'tank/gitea/var': { + 'mountpoint': '/var/lib/gitea', + 'needed_by': { + 'directory:/var/lib/gitea', + }, + }, + }, + }, } @@ -57,7 +75,8 @@ def nginx(metadata): return { 'nginx': { 'vhosts': { - metadata.get('gitea/domain'): { + 'gitea': { + 'domain': metadata.get('gitea/domain'), 'locations': { '/': { 'target': 'http://127.0.0.1:22000', diff --git a/bundles/grafana/dashboard-rows/cpu.py b/bundles/grafana/dashboard-rows/cpu.py index e370d5e..1279b2e 100644 --- a/bundles/grafana/dashboard-rows/cpu.py +++ b/bundles/grafana/dashboard-rows/cpu.py @@ -9,6 +9,8 @@ def dashboard_row_cpu(panel_id, node): 'iowait', 'nice', 'softirq', + 'guest', + 'guest_nice', ]: queries_cpu.append({ 'groupBy': [ diff --git a/bundles/jenkins-ci/files/ssh-config b/bundles/jenkins-ci/files/ssh-config new file mode 100644 index 0000000..564c5f9 --- /dev/null +++ b/bundles/jenkins-ci/files/ssh-config @@ -0,0 +1,3 @@ +Host * + UserKnownHostsFile /dev/null + StrictHostKeyChecking no diff --git a/bundles/jenkins-ci/items.py b/bundles/jenkins-ci/items.py index ff49882..03e627e 100644 --- a/bundles/jenkins-ci/items.py +++ b/bundles/jenkins-ci/items.py 
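Review bot: `Host *` with `UserKnownHostsFile /dev/null` and `StrictHostKeyChecking no` in `bundles/jenkins-ci/files/ssh-config` turns off host-key verification for every SSH connection the Jenkins user makes, including the ones made with the deploy key this commit installs, so a redirected or spoofed destination is accepted silently. Restricting the stanza to the host(s) Jenkins actually clones from, or shipping a bundlewrap-managed known_hosts file for them together with `StrictHostKeyChecking yes`, keeps the convenience for throwaway hosts without discarding the check globally; `StrictHostKeyChecking accept-new` is a middle ground if first-contact convenience is the goal. A one-line comment in the file stating why verification is relaxed would help the next reader either way.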
@@ -1,14 +1,41 @@ +directories = { + '/var/lib/jenkins': { + 'owner': 'jenkins', + 'group': 'jenkins', + 'needs': { + 'pkg_apt:jenkins', + }, + }, + '/var/lib/jenkins/.ssh': { + 'mode': '0755', + 'owner': 'git', + 'group': 'git', + }, +} + files = { '/etc/default/jenkins': { 'triggers': { 'svc_systemd:jenkins:restart', }, }, + '/var/lib/jenkins/.ssh/config': { + 'source': 'ssh-config', + }, } +if node.metadata.get('jenkins-ci/install_ssh_key', False): + files['/var/lib/jenkins/.ssh/id_ed25519'] = { + 'content': repo.vault.decrypt_file(f'jenkins-ci/files/ssh-keys/{node.name}.key.vault'), + 'mode': '0600', + 'owner': 'jenkins', + 'group': 'jenkins', + } + svc_systemd = { 'jenkins': { 'needs': { + 'directory:/var/lib/jenkins', 'pkg_apt:jenkins', }, }, diff --git a/bundles/jenkins-ci/metadata.py b/bundles/jenkins-ci/metadata.py index 0cd5e59..fae8052 100644 --- a/bundles/jenkins-ci/metadata.py +++ b/bundles/jenkins-ci/metadata.py @@ -21,4 +21,14 @@ defaults = { '/var/lib/jenkins', }, }, + 'zfs': { + 'datasets': { + 'tank/jenkins': { + 'mountpoint': '/var/lib/jenkins', + 'needed_by': { + 'pkg_apt:jenkins', + }, + }, + }, + }, } diff --git a/bundles/mx-puppet-discord/files/config.yaml b/bundles/mx-puppet-discord/files/config.yaml index a93c889..6be98d2 100644 --- a/bundles/mx-puppet-discord/files/config.yaml +++ b/bundles/mx-puppet-discord/files/config.yaml @@ -16,6 +16,12 @@ provisioning: - "${regex}" % endfor +namePatterns: + user: ":name (Discord)" + userOverride: ":displayname (Discord)" + room: "#:name (Discord - :guild)" + group: ":name" + database: connString: "postgres://${node.metadata['mx-puppet-discord']['database']['user']}:${node.metadata['mx-puppet-discord']['database']['password']}@${node.metadata['mx-puppet-discord']['database'].get('host', 'localhost')}/${node.metadata['mx-puppet-discord']['database']['database']}?sslmode=disable" diff --git a/bundles/php/files/8.0/fpm.conf b/bundles/php/files/8.0/fpm.conf new file mode 100644 index 0000000..c4d6412 
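Review bot: `/var/lib/jenkins/.ssh` is declared with `'owner': 'git', 'group': 'git'` while the `id_ed25519` written into it a few lines below is owned by `jenkins` and the parent `/var/lib/jenkins` is `jenkins:jenkins`; this looks copied from the gitea bundle and only applies cleanly on a node where a `git` user happens to exist too. Change it to `'owner': 'jenkins', 'group': 'jenkins',` and, since the directory holds a private key, `'mode': '0700',`. The `/var/lib/jenkins/.ssh/config` entry states no owner or mode; the defaults are presumably fine for a world-readable client config, but giving it `'owner': 'jenkins'` keeps the three items consistent.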
--- /dev/null +++ b/bundles/php/files/8.0/fpm.conf @@ -0,0 +1,23 @@ +[global] +pid=/run/php/php8.0-fpm.pid +; We're using journal, put logs there +error_log=/var/log/php8.0-fpm.log +daemonize=yes + +; The one and only worker pool we have +[www] +user=www-data +group=www-data +listen=/run/php/php8.0-fpm.sock +listen.owner=www-data +listen.group=www-data +listen.mode=0600 + +; Process Manager Settings +pm=dynamic +pm.max_children=${num_cpus*4} +pm.start_servers=${num_cpus} +pm.max_spare_servers=${num_cpus*2} +pm.min_spare_servers=${num_cpus} +pm.process_idle_timeout=30s +pm.max_requests=1024 diff --git a/bundles/php/files/8.0/php.ini b/bundles/php/files/8.0/php.ini new file mode 100644 index 0000000..45b78bf --- /dev/null +++ b/bundles/php/files/8.0/php.ini 
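Review bot: The comment `; We're using journal, put logs there` sits directly above `error_log=/var/log/php8.0-fpm.log`, which sends the master-process log to a file, not to the journal. Either the comment or the setting is stale: php-fpm accepts `error_log=syslog` if the comment describes the intent, otherwise the comment should say that the file path is deliberate.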
@@ -0,0 +1,99 @@ +[PHP] +; Only needed for libapache2-mod-php? +engine = On +short_open_tag = Off +precision = 14 +output_buffering = 4096 +zlib.output_compression = Off +implicit_flush = Off +serialize_precision = -1 +disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals +ignore_user_abort = Off +zend.enable_gc = On +expose_php = Off + +max_execution_time = 30 +max_input_time = 60 +memory_limit = 256M + +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT +display_startup_errors = Off +log_errors = On +log_errors_max_len = 1024 +ignore_repeated_errors = Off +ignore_repeated_source = Off +report_memleaks = On +html_errors = On +error_log = syslog +syslog.ident = php7.4 +syslog.filter = ascii + +arg_separator.output = "&" +variables_order = "GPCS" +request_order = "GP" +register_argc_argv = Off +auto_globals_jit = On +post_max_size = ${post_max_size}M +default_mimetype = "text/html" +default_charset = "UTF-8" + +enable_dl = Off +file_uploads = On +upload_max_filesize = ${post_max_size}M +max_file_uploads = 20 + +allow_url_fopen = On +allow_url_include = Off +default_socket_timeout = 10 + +[CLI Server] +cli_server.color = On + +[mail function] +mail.add_x_header = Off + +[ODBC] +odbc.allow_persistent = On +odbc.check_persistent = On +odbc.max_persistent = -1 +odbc.max_links = -1 +odbc.defaultlrl = 4096 +odbc.defaultbinmode = 1 + +[PostgreSQL] +pgsql.allow_persistent = On +pgsql.auto_reset_persistent = Off +pgsql.max_persistent = -1 +pgsql.max_links = -1 +pgsql.ignore_notice = 0 +pgsql.log_notice = 0 + +[bcmath] +bcmath.scale = 0 + +[Session] +session.save_handler = files +session.use_strict_mode = 0 +session.use_cookies = 1 
+session.use_only_cookies = 1 +session.name = PHPSESSID +session.auto_start = 0 +session.cookie_lifetime = 0 +session.cookie_path = / +session.cookie_domain = +session.cookie_httponly = +session.cookie_samesite = +session.serialize_handler = php +session.gc_probability = 1 +session.gc_divisor = 1000 +session.gc_maxlifetime = 1440 +session.referer_check = +session.cache_limiter = nocache +session.cache_expire = 180 +session.use_trans_sid = 0 +session.sid_length = 32 +session.trans_sid_tags = "a=href,area=href,frame=src,form=" +session.sid_bits_per_character = 6 + +[Assertion] +zend.assertions = -1 diff --git a/bundles/postfix/files/arch-override.conf b/bundles/postfix/files/arch-override.conf new file mode 100644 index 0000000..3b3e46d --- /dev/null +++ b/bundles/postfix/files/arch-override.conf @@ -0,0 +1,6 @@ +[Service] +# arch postfix is not set up for chrooting by default +ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc +% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']: +ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file} +% endfor diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 1ca260b..7346fe3 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -21,7 +21,7 @@ for identifier in node.metadata.get('postfix/mynetworks', set()): netmask = '128' mynetworks.add(f'[{ip6}]/{netmask}') -my_package = 'pkg_pacman:postfix' if node.has_bundle('pacman') else 'pkg_apt:postfix' +my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { @@ -86,3 +86,13 @@ svc_systemd = { }, }, } + +if node.os == 'arch': + files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = { + 'source': 'arch-override.conf', + 'content_type': 'mako', + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:postfix:restart', + }, + } diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 759f693..b9219f1 100644 
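Review bot: `syslog.ident = php7.4` in a file shipped as `bundles/php/files/8.0/php.ini` tags this interpreter's syslog lines as 7.4, so log lines from the two versions become indistinguishable; it should read `syslog.ident = php8.0` (or be templated from the version the bundle already knows, as `${post_max_size}` is). The `[Session]` block also leaves `session.cookie_httponly =` and `session.cookie_samesite =` empty and sets `session.use_strict_mode = 0`, which means PHP's own session cookie stays readable from script, is sent on cross-site requests, and the server accepts uninitialised session ids supplied by the client. Unless an application on these hosts depends on those defaults, `session.cookie_httponly = 1`, `session.cookie_samesite = "Lax"` and `session.use_strict_mode = 1` are the usual hardened values and fit the otherwise careful choices here (`expose_php = Off`, `allow_url_include = Off`, the pcntl `disable_functions` list).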
--- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -25,6 +25,7 @@ defaults = { 'pacman': { 'packages': { 'postfix': {}, + 's-nail': {}, }, }, } diff --git a/bundles/simple-icinga-dashboard/items.py b/bundles/simple-icinga-dashboard/items.py index c69c9df..74f05db 100644 --- a/bundles/simple-icinga-dashboard/items.py +++ b/bundles/simple-icinga-dashboard/items.py @@ -34,7 +34,7 @@ directories = { git_deploy = { '/opt/simple-icinga-dashboard/src': { - 'repo': 'https://git.kunsmann.eu/sophie/simple-icinga-dashboard.git', + 'repo': 'https://git.franzi.business/sophie/simple-icinga-dashboard.git', 'rev': 'main', 'triggers': { 'action:simple-icinga-dashboard_install_requirements', diff --git a/data/gitea/files/ssh-keys/htz.ex42-1048908.key.vault b/data/gitea/files/ssh-keys/rx300.key.vault similarity index 100% rename from data/gitea/files/ssh-keys/htz.ex42-1048908.key.vault rename to data/gitea/files/ssh-keys/rx300.key.vault diff --git a/data/gitea/files/ssh-keys/htz.ex42-1048908.pub b/data/gitea/files/ssh-keys/rx300.pub similarity index 100% rename from data/gitea/files/ssh-keys/htz.ex42-1048908.pub rename to data/gitea/files/ssh-keys/rx300.pub diff --git a/data/jenkins-ci/files/ssh-keys/rx300.key.vault b/data/jenkins-ci/files/ssh-keys/rx300.key.vault new file mode 100644 index 0000000..e56190a --- /dev/null +++ b/data/jenkins-ci/files/ssh-keys/rx300.key.vault 
@@ -0,0 +1 @@ +encrypt$gAAAAABg6vNNuCZcmhH52dQDiD4ePsbXhz0kHSjqX3yduJ6E5NylWEdKNtjtrfc9bu1WNnDBO0YpsqxIeax2u1xc6gstohVfbu2MgwGJKpA7J5Py6xiQL82YKJcwV7k0EZ7ilWbqlzXuSDh40KG3GWOTPiw_CbsbDEpCU09x1hUs1_0BTPAU6ln4t7ync7ZjFZf_vRBTlrnZWchzXoSwppzedAZeaptfhMWn_-8oARoYvxJf3pkmTSGjovNMvDak_sscq_M2rldng6_oboR4iTo_6eY6bpCjEGD3xMeSzLhDZsJ4c0l9bZBDef-NRWA7Ewptc4KYKVvzKlgyrByqSV8TCmYn4aBgOusv-VAW3VqKg2rHi3nq5L50zkPwWmHC6_rdtIS-pAlnR5A0HJYdXGyf2eQSq3UkrZA3BIFlqUWrvS8aTWxp9CUL5C9oRGpL8P3fVfExiqhmcLGamHZb1Y2kjxX8EMcSCRLgiVO9DwIpXlEm86HfgVcXaL0wpibM32PD0sspOPILThE5P9WETGhpFAWDkWR0WaYQjZuAVlXTtk8tgdh0vC2auQl2pEVbvvnZaa04Ohp2QgE3AJLg3tdekLciwCQmPm0bpX8xYvJ49vNWG-SCaAlLHzLVIMFXFY53-SBOHYnE \ No newline at end of file diff --git a/data/jenkins-ci/files/ssh-keys/rx300.pub b/data/jenkins-ci/files/ssh-keys/rx300.pub new file mode 100644 index 0000000..55ce7ec --- /dev/null +++ b/data/jenkins-ci/files/ssh-keys/rx300.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business index 3fadfdb..b811603 100644 --- a/data/powerdns/files/bind-zones/franzi.business +++ b/data/powerdns/files/bind-zones/franzi.business @@ -2,8 +2,9 @@ ${header} $ORIGIN franzi.business. -@ IN A 94.130.52.224 - IN AAAA 2a01:4f8:10b:2a5f::2 +; ends up on rx300.kunbox.net +@ IN A 31.47.232.106 + IN AAAA 2a00:f820:528::2 IN MX 10 mx0.kunbox.net. IN TXT "v=spf1 mx ~all" @@ -13,6 +14,9 @@ chat IN AAAA 2a01:4f8:10b:2a5f::2 dimension IN A 94.130.52.224 dimension IN AAAA 2a01:4f8:10b:2a5f::2 +git IN CNAME rx300.kunbox.net. +jenkins IN CNAME rx300.kunbox.net. + matrix IN A 94.130.52.224 matrix IN AAAA 2a01:4f8:10b:2a5f::2 @@ -24,7 +28,6 @@ sewfile IN CNAME sewfile.htz-cloud.kunbox.net. rss IN CNAME rx300.kunbox.net. status IN CNAME icinga2.ovh.kunbox.net. - travelynx IN CNAME rx300.kunbox.net. unicornsden IN CNAME rx300.kunbox.net. 
diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu index b38fcf0..8f10382 100644 --- a/data/powerdns/files/bind-zones/kunsmann.eu +++ b/data/powerdns/files/bind-zones/kunsmann.eu @@ -10,17 +10,11 @@ $ORIGIN kunsmann.eu. dav IN A 94.130.52.224 dav IN AAAA 2a01:4f8:10b:2a5f::2 -git IN A 94.130.52.224 -git IN AAAA 2a01:4f8:10b:2a5f::2 - grafana IN CNAME influxdb.htz-cloud.kunbox.net. icinga IN CNAME icinga2.ovh.kunbox.net. influxdb IN CNAME influxdb.htz-cloud.kunbox.net. statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net. -jenkins IN A 94.130.52.224 -jenkins IN AAAA 2a01:4f8:10b:2a5f::2 - mta-sts IN A 94.130.52.224 mta-sts IN AAAA 2a01:4f8:10b:2a5f::2 @@ -29,8 +23,8 @@ luther-ps IN CNAME luther.htz-cloud.kunbox.net. paste IN A 94.130.52.224 paste IN AAAA 2a01:4f8:10b:2a5f::2 -rss IN A 94.130.52.224 -rss IN AAAA 2a01:4f8:10b:2a5f::2 +; legacy, for redirect +git IN CNAME ex42-1048908.htz.kunbox.net. _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@kunsmann.eu; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" _mta-sts IN TXT "v=STSv1;id=20201111;" diff --git a/data/travelynx/files/imprint/rx300 b/data/travelynx/files/imprint/rx300 index 77cb78a..031c68d 100644 --- a/data/travelynx/files/imprint/rx300 +++ b/data/travelynx/files/imprint/rx300 @@ -9,7 +9,7 @@

Datenschutz

Logdateien des Webservers

-

Der Webserver fertigt keine Logdateien an. Interessierte können sich in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen.

+

Der Webserver fertigt keine Logdateien an. Interessierte können sich in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen.

Account-spezifische Daten

diff --git a/libs/faults.py b/libs/faults.py index 2995249..ad3735c 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -1,6 +1,39 @@ from json import loads, dumps from bundlewrap.metadata import metadata_to_json +from bundlewrap.utils import Fault + def resolve_faults(dictionary: dict) -> dict: return loads(metadata_to_json(dictionary)) + + +def ensure_fault_or_none(maybe_fault): + if maybe_fault is None or isinstance(maybe_fault, Fault): + return maybe_fault + + return Fault(maybe_fault, lambda f: f, f=maybe_fault) + + +def join_faults(faults, by=' '): + result = [] + id_list = [] + + for item in faults: + result.append(ensure_fault_or_none(item)) + + if isinstance(item, Fault): + id_list += item.id_list + else: + id_list.append(item) + + id_list += [ + 'joined_by', + by, + ] + + return Fault( + id_list, + lambda o: by.join([i.value for i in o]), + o=result, + ) diff --git a/nodes/aurto.py b/nodes/aurto.py index 69fda0b..45d1adf 100644 --- a/nodes/aurto.py +++ b/nodes/aurto.py @@ -2,6 +2,7 @@ nodes['aurto'] = { 'hostname': '31.47.232.107', 'bundles': { 'backup-client', + 'check-mail-received', }, 'groups': { 'arch', @@ -18,6 +19,13 @@ nodes['aurto'] = { '/var/cache/pacman/aurto', }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, 'interfaces': { 'enp1s0': { 'ips': { @@ -55,6 +63,9 @@ nodes['aurto'] = { # kunsi 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA', 'ssh-rsa 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 cardno:000609506971', + # n0emis + 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu', + 'ssh-rsa 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 simeon@noemis.me (OLD)', }, }, 'kunsi': { diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 5953245..18b1b76 100644 
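Review bot: `join_faults` lets `None` items through `ensure_fault_or_none`, but the callback `lambda o: by.join([i.value for i in o])` then dereferences `None.value` when the Fault is resolved, so a missing optional value fails late, inside bundlewrap's Fault evaluation, rather than where the list is built. Either skip such entries in the loop (`if item is None: continue` before `result.append(...)`) or drop them in the callback (`[i.value for i in o if i is not None]`), and state in a docstring which of the two callers may rely on. The `id_list.append(item)` branch also stores the raw value of a non-Fault item in the joined Fault's id list; that is fine for the hostnames and addresses the current caller passes, but a plain-string secret would end up there too, so a one-line comment saying that secrets must arrive as Faults is worth adding.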
--- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -1,5 +1,6 @@ nodes['htz-cloud.pirmasens'] = { 'bundles': { + 'check-mail-received', 'dovecot', 'php', 'postfixadmin', @@ -23,6 +24,13 @@ nodes['htz-cloud.pirmasens'] = { 'gateway6': 'fe80::1', }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, 'icinga_options': { 'pretty_name': 'kunsmann.info', }, diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index f6d2418..cae81bf 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -1,9 +1,10 @@ nodes['htz.ex42-1048908'] = { 'bundles': { + 'check-mail-received', 'dovecot', 'element-web', - 'gitea', - 'jenkins-ci', +# 'gitea', +# 'jenkins-ci', 'lm-sensors', 'matrix-media-repo', 'matrix-synapse', @@ -86,8 +87,12 @@ nodes['htz.ex42-1048908'] = { '/opt/matrix/matrix-dimension', }, }, - 'cron': { - 'telekom_nervkram': vault.decrypt('encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw=').format_into('0 0 * * * root date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'), + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, }, 'element-web': { 'url': 'chat.franzi.business', 
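Review bot: In `nodes/htz/ex42-1048908.py` the gitea and jenkins-ci bundles and their metadata are commented out with `#` rather than deleted (here and again in the `-113,27` and `-295,46` hunks below, which also keep the old nginx vhosts as comments), and the `m.server` value inside the commented-out `franzi.business` vhost was even edited in place; git history already preserves the old configuration, so the dead blocks only add drift and roughly sixty lines of noise to a node file. Removing the commented lines keeps the node description readable; if they are meant as a reminder that the move to rx300 is unfinished, a single `# TODO: remove once rx300 migration is confirmed` says that more clearly.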
@@ -113,27 +118,27 @@ nodes['htz.ex42-1048908'] = { }, }, }, - 'gitea': { - 'version': '1.14.3', - 'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2', - 'domain': 'git.kunsmann.eu', - 'email_domain_blocklist': { - 'gmail.com', - 'yahoo.com', - 'aol.com', - 'comcast.net', - 'verizon.net', - 'hotmail.com', - 'cox.net', - 'msn.com', - }, - 'enable_git_hooks': True, - 'install_ssh_key': True, - 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), - 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), - 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), - 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), - }, +# 'gitea': { +# 'version': '1.14.3', +# 'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2', +# 'domain': 'git.kunsmann.eu', +# 'email_domain_blocklist': { +# 'gmail.com', +# 'yahoo.com', +# 'aol.com', +# 'comcast.net', +# 'verizon.net', +# 'hotmail.com', +# 'cox.net', +# 'msn.com', +# }, +# 'enable_git_hooks': True, +# 'install_ssh_key': True, +# 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), +# 'lfs_secret_key': 
vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), +# 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), +# 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), +# }, 'icinga_options': { 'pretty_name': 'kunsmann.eu', }, 
@@ -295,46 +300,53 @@ nodes['htz.ex42-1048908'] = { }, }, }, - 'franzi.business': { - 'webroot': '/var/www/franzi.business/_site/', - 'locations': { - '/.well-known/matrix/client': { - 'return': json_dumps({ - 'm.homeserver': { - 'base_url': 'https://matrix.franzi.business', - }, - 'm.identity_server': { - 'base_url': 'https://matrix.org', - }, - 'im.vector.riot.jitsi': { - 'preferredDomain': 'meet.ffmuc.net', - }, - }, sort_keys=True), - 'additional_config': { - 'default_type application/json', - 'add_header Access-Control-Allow-Origin *', - }, - }, - '/.well-known/matrix/server': { - 'return': json_dumps({ - 'm.server': 'https://matrix.franzi.business', - }, sort_keys=True), - 'additional_config': { - 'default_type application/json', - 'add_header Access-Control-Allow-Origin *', - }, - }, - }, - }, - 'jenkins.kunsmann.eu': { +# 'franzi.business': { +# 'webroot': '/var/www/franzi.business/_site/', +# 'locations': { +# '/.well-known/matrix/client': { +# 'return': json_dumps({ +# 'm.homeserver': { +# 'base_url': 'https://matrix.franzi.business', +# }, +# 'm.identity_server': { +# 'base_url': 'https://matrix.org', +# }, +# 'im.vector.riot.jitsi': { +# 'preferredDomain': 'meet.ffmuc.net', +# }, +# }, sort_keys=True), +# 'additional_config': { +# 'default_type application/json', +# 'add_header Access-Control-Allow-Origin *', +# }, +# }, +# '/.well-known/matrix/server': { +# 'return': json_dumps({ +# 'm.server': 'matrix.franzi.business:443', +# }, sort_keys=True), +# 'additional_config': { +# 'default_type application/json', +# 'add_header Access-Control-Allow-Origin *', +# }, +# }, +# }, +# }, + 'git.kunsmann.eu': { 'locations': { '/': { - 'target': 'http://localhost:22010/', + 'redirect': 'https://git.franzi.business$request_uri', }, }, - 'website_check_path': '/login', - 'website_check_string': 'Welcome to Jenkins', }, +# 'jenkins.kunsmann.eu': { +# 'locations': { +# '/': { +# 'target': 'http://localhost:22010/', +# }, +# }, +# 'website_check_path': '/login', +# 
'website_check_string': 'Welcome to Jenkins', +# }, 'kunbox.net': {}, 'kunsmann.eu': { 'locations': { @@ -384,7 +396,7 @@ nodes['htz.ex42-1048908'] = { }, '/.well-known/matrix/server': { 'return': json_dumps({ - 'm.server': 'https://matrix.franzi.business', + 'm.server': 'matrix.franzi.business:443', }, sort_keys=True), 'additional_config': { 'default_type application/json', diff --git a/nodes/rx300.py b/nodes/rx300.py index 636ed45..d66a7b0 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -7,8 +7,12 @@ nodes['rx300'] = { 'hostname': '31.47.232.106', 'bundles': { + 'check-mail-received', + 'gitea', + 'jenkins-ci', 'lm-sensors', 'miniflux', + 'php', 'postgresql', 'smartd', 'travelynx', @@ -33,6 +37,15 @@ nodes['rx300'] = { 'apt': { 'packages': { 'ipmitool': {}, + + # for franzi.business deployment + 'ruby': {}, + 'ruby-dev': {}, + 'ruby-bundler': {}, + + # more php + 'php-imagick': {}, + 'php-yaml': {}, }, # XXX remove this once nginx.org has packages for debian bullseye 'repos': { 
@@ -43,23 +56,105 @@ nodes['rx300'] = { }, }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, + 'gitea': { + 'version': '1.14.4', + 'sha256': 'e1ce2fadcf6561cb2543b44b9f1382d6ce4be29ed8edd6d9d7080a218aa114b0', + 'domain': 'git.franzi.business', + 'email_domain_blocklist': { + 'gmail.com', + 'yahoo.com', + 'aol.com', + 'comcast.net', + 'verizon.net', + 'hotmail.com', + 'cox.net', + 'msn.com', + }, + 'enable_git_hooks': True, + 'install_ssh_key': True, + 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), + 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), + 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), + 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), + }, 'icinga_options': { 'pretty_name': 'franzi.business', }, + 'jenkins-ci': { + 'install_ssh_key': True, + }, 'miniflux': { 'domain': 'rss.franzi.business', }, 'nginx': { 'vhosts': { - 'miniflux': { + 'gitea': {'ssl': '_.franzi.business'}, + 'miniflux': {'ssl': '_.franzi.business'}, + 'franzi.business': { + 'webroot': '/var/www/franzi.business/_site/', 'ssl': '_.franzi.business', + 'locations': { + '/.well-known/matrix/client': { + 'return': json_dumps({ + 'm.homeserver': { + 
'base_url': 'https://matrix.franzi.business', + }, + 'm.identity_server': { + 'base_url': 'https://matrix.org', + }, + 'im.vector.riot.jitsi': { + 'preferredDomain': 'meet.ffmuc.net', + }, + }, sort_keys=True), + 'additional_config': { + 'default_type application/json', + 'add_header Access-Control-Allow-Origin *', + }, + }, + '/.well-known/matrix/server': { + 'return': json_dumps({ + 'm.server': 'matrix.franzi.business:443', + }, sort_keys=True), + 'additional_config': { + 'default_type application/json', + 'add_header Access-Control-Allow-Origin *', + }, + }, + }, }, - 'unicornsden': { + 'jenkins': { + 'domain': 'jenkins.franzi.business', + 'ssl': '_.franzi.business', + 'locations': { + '/': { + 'target': 'http://localhost:22010/', + }, + }, + 'website_check_path': '/login', + 'website_check_string': 'Welcome to Jenkins', + }, + 'unicornsden-redirect': { 'domain': 'unicornsden.franzi.business', 'ssl': '_.franzi.business', + 'locations': { + '/': { + 'redirect': 'https://map.unicornsden.com/', + }, + }, + }, + 'unicornsden': { + 'domain': 'map.unicornsden.com', + 'php': True, 'webroot_config': { - 'owner': 'kunsi', - 'group': 'kunsi', + 'owner': 'jenkins', + 'group': 'jenkins', 'mode': '0755', }, }, @@ -80,6 +175,19 @@ nodes['rx300'] = { }, }, }, + 'php': { + 'version': '8.0', + 'packages': { + 'gd', + 'imap', + 'intl', + 'mbstring', + 'opcache', + 'pgsql', + 'readline', + 'xml', + }, + }, 'postgresql': { 'version': '13', },
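Review bot: The `unicornsden` vhost sets `'php': True` on a webroot whose `webroot_config` is `'owner': 'jenkins', 'group': 'jenkins'`, so whatever the CI user writes there is executed by PHP-FPM as `www-data`; together with the relaxed host-key checking in `bundles/jenkins-ci/files/ssh-config`, that widens what a compromised pipeline or build host can do on this box. If Jenkins must deploy directly into the webroot, having it publish to a staging path and copying into the webroot in a separate, root-owned step would decouple the two, and if the site is static, PHP can stay off this vhost entirely; a short comment stating why jenkins owns the webroot would at least record the decision. The `'franzi.business'` block is a verbatim copy of the one commented out in `nodes/htz/ex42-1048908.py`, and its `m.server` value `matrix.franzi.business:443` matches the fix applied to the live kunsmann.eu vhost in the same commit.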